Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.
History

Tue, 12 Nov 2024 17:15:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
First Time appeared | | Icinga; Icinga icinga Web 2
CPEs | | cpe:2.3:a:icinga:icinga_web_2:*:*:*:*:*:*:*:*
Vendors & Products | | Icinga; Icinga icinga Web 2
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 Nov 2024 17:00:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
Description | | Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.
Title | | Icinga 2 has a TLS Certificate Validation Bypass for JSON-RPC and HTTP API Connections
Weaknesses | | CWE-295
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-12T16:44:01.713Z

Updated: 2024-11-12T17:06:41.572Z

Reserved: 2024-10-14T13:56:34.811Z

Link: CVE-2024-49369

Vulnrichment

Updated: 2024-11-12T17:05:47.848Z

NVD

Status: Awaiting Analysis

Published: 2024-11-12T17:15:08.250

Modified: 2024-11-13T17:01:58.603

Link: CVE-2024-49369

Redhat

No data.